Cybersecurity Alerts, News, and Tips

Profiles in Leadership: Rebecca Wynn

Events, Governance & Risk Management, Privacy

Global CISO, Privacy Officer Seeks to Always Push the Envelope

Tom Field (SecurityEditor) • May 20, 2021

Rebecca Wynn, Global CISO and Privacy Officer

As a global CISO and privacy officer, Rebecca Wynn has earned her stripes. And she’s upfront with her expectations: She will take your security organization to the next level. But she also won’t hesitate to walk away if she sees that cybersecurity commitment is nothing but talk.
In a video interview with Information Security Media Group as part of ISMG’s RSA Conference 2021 coverage, and as part of the CyberEdBoard’s ongoing Profiles in Leadership series, Wynn discusses:

Her career path and priorities;
Why she hates “checkbox anything;”
What will make her walk away from an opportunity.

As a global CISO and chief privacy officer, Wynn is a “big picture” thinker who has over 20 years of experience in information security, assurance and technology. The recipient of numerous awards, including 2017 Cybersecurity Professional of the Year, she has been described as a “game-changer who is 10 steps ahead in developing and enforcing cybersecurity and privacy best practices and policies.”


Researchers Uncover Another DarkSide Ransomware Variant

Fraud Management & Cybercrime, Ransomware

FortiGuard Labs Describes Variant, Which Is No Longer Active

Akshaya Asokan (asokan_akshaya) • May 20, 2021

New DarkSide code found (Source: FortiGuard)

Security researchers at FortiGuard Labs have uncovered another DarkSide ransomware variant with destructive capabilities: it retrieves disk partition information and encrypts files across multiple disks. But the researchers say the variant is “unrelated to the Colonial Pipeline campaign” and is no longer active.
The DarkSide gang announced on May 13 it was shutting down its ransomware-as-a-service operation. Another DarkSide malware variant was used against Colonial Pipeline Co., which led to the temporary shutdown of the company’s pipeline serving much of the East Coast (see: DarkSide Ransomware Gang Says It Has Shut Down).
FortiGuard Labs says the recently identified DarkSide malware variant was found in a sample provided by “trusted partners.” It had been used in an attack campaign designed to enable attackers to cause wider disruption.
“This DarkSide variant seeks out partitions on a multi-boot system to find additional files to encrypt, thereby causing greater damage and an increased incentive to pay a ransom to recover files,” FortiGuard researchers note.
Malware Analysis
The newly discovered DarkSide variant was compiled to a small file size while still able to deliver a large payload, FortiGuard researchers say. The malware begins by locating a domain controller, the server that handles authentication requests for the domain. It then looks for Active Directory, the centralized directory service for Windows domains.
Because querying Active Directory normally requires authentication, the malware binds to it over the Lightweight Directory Access Protocol (LDAP) anonymously, the report notes.
“After issuing Active Directory queries, the ransomware then attempts to encrypt files in network shares found in this section of the code,” according to the researchers’ report. “It seems that DarkSide avoids certain queries as it might not be running in the context of an administrator and attempts to access them could potentially trigger an alert.”
The DarkSide variant then scans the hard drive to determine whether the system is multi-boot, in order to find additional partitions whose files it can encrypt, FortiGuard researchers note.
“After the malware finds a targeted drive type, it checks the version of Windows it is running on. For systems running Windows 7 and above, the malware looks for volumes with a bootmgr file in it,” the report notes. “For systems older than Windows 7, DarkSide chooses a different approach.”
That approach includes calling an API to retrieve additional information about the type, size and nature of a disk partition. Once the partition style is identified, the malware encrypts the files on those drives, the report adds.
Researchers also note the technique used to identify the partition locator and customization based on the victims’ operating systems was also deployed in the NotPetya malware outbreak that impacted organizations worldwide. Unlike NotPetya, which left the infected systems unusable, the newly discovered DarkSide variant left the systems in a semi-recoverable state, according to the report.
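The enumeration sequence above (LDAP to a domain controller, share access, probing volumes for bootmgr, raw disk access) is more useful to a defender as a combination than as four separate alerts. The following is an added example, not FortiGuard’s or DarkSide’s code: it groups constructed, Sysmon-like process telemetry by PID and flags a process that shows several of those behaviours inside one time window. The event field names, the domain controller inventory, the share and volume counts, and the three-behaviour threshold are all assumptions.

```python
"""Behavioural correlation for the DarkSide-style enumeration sequence.

Added example, not FortiGuard's or DarkSide's code. Event field names, the
DC inventory and the thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LDAP_PORTS = {389, 636, 3268, 3269}
DOMAIN_CONTROLLERS = {"dc01.corp.example"}        # assumption: your DC inventory

MALWARE = r"C:\Users\bob\AppData\Local\Temp\upd.exe"   # constructed path

# Constructed sample telemetry, not real logs. "kind" is a simplified stand-in
# for Sysmon event types (net ~ EventID 3, file ~ file open/query,
# share ~ Security EventID 5140).
SAMPLE_EVENTS = [
    # pid 4312: the full pattern from the report, within a few seconds
    {"ts": "2021-05-20T10:00:01", "pid": 4312, "image": MALWARE, "kind": "net",
     "dst_host": "dc01.corp.example", "dst_port": 389},
    {"ts": "2021-05-20T10:00:03", "pid": 4312, "image": MALWARE, "kind": "share", "share": r"\\fs01\finance"},
    {"ts": "2021-05-20T10:00:03", "pid": 4312, "image": MALWARE, "kind": "share", "share": r"\\fs01\hr"},
    {"ts": "2021-05-20T10:00:04", "pid": 4312, "image": MALWARE, "kind": "share", "share": r"\\fs02\backups"},
    {"ts": "2021-05-20T10:00:06", "pid": 4312, "image": MALWARE, "kind": "file", "path": r"C:\bootmgr"},
    {"ts": "2021-05-20T10:00:06", "pid": 4312, "image": MALWARE, "kind": "file", "path": r"D:\bootmgr"},
    {"ts": "2021-05-20T10:00:07", "pid": 4312, "image": MALWARE, "kind": "file", "path": r"\\.\PhysicalDrive0"},
    # pid 812: a backup agent that reads raw disk and touches one share
    {"ts": "2021-05-20T10:05:00", "pid": 812, "image": r"C:\Program Files\Backup\agent.exe",
     "kind": "file", "path": r"\\.\PhysicalDrive0"},
    {"ts": "2021-05-20T10:05:01", "pid": 812, "image": r"C:\Program Files\Backup\agent.exe",
     "kind": "share", "share": r"\\fs02\backups"},
    # pid 1200: routine LDAP traffic from the OS to the DC
    {"ts": "2021-05-20T10:06:00", "pid": 1200, "image": r"C:\Windows\System32\lsass.exe",
     "kind": "net", "dst_host": "dc01.corp.example", "dst_port": 389},
]


def behaviours_for(events):
    """Map each PID to the behaviours seen, with the timestamps of each hit."""
    per_pid = defaultdict(lambda: {"image": None, "hits": defaultdict(list),
                                   "shares": set(), "volumes": set()})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "net":
            if ev["dst_port"] in LDAP_PORTS and ev["dst_host"].lower() in DOMAIN_CONTROLLERS:
                rec["hits"]["ldap_to_dc"].append(ts)
        elif ev["kind"] == "share":
            rec["shares"].add(ev["share"].lower())
            rec["hits"]["share_access"].append(ts)
        elif ev["kind"] == "file":
            path = ev["path"].lower()
            if path.startswith(r"\\.\physicaldrive"):
                rec["hits"]["raw_disk"].append(ts)
            elif path.endswith(r"\bootmgr"):
                rec["volumes"].add(path.split("\\")[0])   # "c:", "d:", ...
                rec["hits"]["bootmgr_probe"].append(ts)
    return per_pid


def suspicious(events, min_behaviours=3, window_seconds=600):
    """Flag processes showing at least min_behaviours distinct behaviours inside one window."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for pid, rec in behaviours_for(events).items():
        observed = {}
        for name, stamps in rec["hits"].items():
            # share and bootmgr hits only count once they span several targets,
            # which is what separates enumeration from ordinary file access
            if name == "share_access" and len(rec["shares"]) < 3:
                continue
            if name == "bootmgr_probe" and len(rec["volumes"]) < 2:
                continue
            observed[name] = stamps
        if len(observed) < min_behaviours:
            continue
        all_ts = [t for stamps in observed.values() for t in stamps]
        if max(all_ts) - min(all_ts) <= window:
            findings.append({"pid": pid, "image": rec["image"], "behaviours": sorted(observed)})
    return findings


if __name__ == "__main__":
    for finding in suspicious(SAMPLE_EVENTS):
        print(finding)
```

The point of the per-behaviour minimums is that a backup agent reading a raw disk, or lsass talking LDAP to a domain controller, is normal on its own; it is the combination from one unsigned binary in a temp folder, within seconds, that matches the report. In production the same logic would sit over real Sysmon or EDR events rather than the constructed list.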
DarkSide C&C Servers
When analyzing the IP address of the command-and-control server associated with the new variant, the researchers determined that it was co-located in the U.S. and the Netherlands on servers belonging to KingServers.
“B.V. KingServers has been classified as a bulletproof host by the infosec community, and although based in the Netherlands, it has ties to Russia, where DarkSide is located,” FortiGuard researchers note. “Specifically, its hosting service was used in several notable attacks, such as attacks on an India-based IT outsourcing firm to perpetrate gift card fraud, as well as for the 2016 DNC attacks in the U.S.”
DarkSide Advisory Update
On Wednesday, the Cybersecurity and Infrastructure Security Agency and the FBI updated their joint cybersecurity advisory on indicators of compromise to help network defenders find and mitigate activity associated with DarkSide ransomware.


New WastedLocker Variant Exploits Internet Explorer Flaws

Fraud Management & Cybercrime, Fraud Risk Management, Governance & Risk Management

Bitdefender: Malware Loader Doesn’t Contain Ransomware

Akshaya Asokan (asokan_akshaya) • May 20, 2021

WastedLoader exploitation chain (Source: Bitdefender)

A new WastedLocker malware variant, dubbed WastedLoader, is exploiting two vulnerabilities in Internet Explorer to insert malicious advertisements into legitimate websites, the security firm Bitdefender reports.
Bitdefender says that unlike the previous version of WastedLocker, the new variant doesn’t contain ransomware capabilities and only acts as a malware downloader.
The ongoing campaign, which began in February, exploits unpatched VBScript vulnerabilities in Internet Explorer to target victims in Europe and the U.S., the report notes.

“The exploitation chain starts with a malicious advertisement delivered from a legitimate website,” Bitdefender says. “The malicious advertisement redirects to the landing page of ‘RIG EK.’ That page then serves two exploits and, if one is successful, it executes the malware.”

Attack Tactics
Bitdefender notes the attack begins by blocking JavaScript on the targeted page. The attackers then exploit CVE-2019-0752, a scripting engine memory corruption vulnerability in Internet Explorer, the report notes.
The attackers then execute a long command line that downloads and decrypts the malware. The RIG EK exploit for this vulnerability has been available since last year, after a security researcher released a proof of concept.
The second VBScript exploit delivered by RIG EK builds on a proof of concept for CVE-2018-8174, a vulnerability in the way the VBScript engine handles objects in memory, the Bitdefender report notes.
The attackers then download the WastedLocker-derived malware to continue the intrusion. “The delivered malware looks like a new variant of WastedLocker, but this new sample is missing the ransomware part, which is probably downloaded from the C&C servers. Because it works like a loader for the downloaded payload, we named it WastedLoader,” the report notes.
The malware then performs anti-debugging and anti-hooking checks and establishes persistence.
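The chain described above (legitimate site, malicious ad, RIG EK landing page, payload) leaves a trail in web proxy logs that can be reconstructed from Referer headers. The following is an added example, not Bitdefender’s code: it parses constructed proxy log lines, walks every executable download back through its Referer links to the page that started it, and flags chains that hop through several origins before a binary is served. The log format, the placeholder domains, the content-type list and the three-origin threshold are assumptions.

```python
"""Rebuilding a malvertising redirect chain from proxy logs.

Added example, not Bitdefender's code. Log format, domains and the
three-origin threshold are assumptions.
"""
import re
from urllib.parse import urlsplit

# timestamp client method url referer status content-type
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

# Constructed sample log, not real traffic (all domains are placeholders).
SAMPLE_LOG = """\
2021-05-20T09:15:01 10.0.0.5 GET https://news.example.com/article/123 - 200 text/html
2021-05-20T09:15:02 10.0.0.5 GET https://ads.adnet-example.net/serve?id=77 https://news.example.com/article/123 302 text/html
2021-05-20T09:15:02 10.0.0.5 GET http://landing.bad-example.org/?k=1 https://ads.adnet-example.net/serve?id=77 200 text/html
2021-05-20T09:15:03 10.0.0.5 GET http://landing.bad-example.org/p.php?k=1 http://landing.bad-example.org/?k=1 200 application/octet-stream
2021-05-20T09:20:00 10.0.0.7 GET https://www.vendor-example.com/download - 200 text/html
2021-05-20T09:20:05 10.0.0.7 GET https://dl.vendor-example.com/setup.exe https://www.vendor-example.com/download 200 application/x-msdownload
"""


def parse(text):
    """Turn log lines into dicts; a Referer of '-' becomes None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, referer, status, ctype = m.groups()
        rows.append({"ts": ts, "client": client, "method": method, "url": url,
                     "referer": None if referer == "-" else referer,
                     "status": int(status), "ctype": ctype.lower()})
    return rows


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def chains(rows):
    """For every binary download, follow Referer links back to the first page seen."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], {})[r["url"]] = r
    out = []
    for r in rows:
        if r["ctype"] not in BINARY_TYPES:
            continue
        chain, seen, cur = [r["url"]], {r["url"]}, r
        while cur["referer"] and cur["referer"] not in seen:
            seen.add(cur["referer"])
            chain.append(cur["referer"])
            cur = by_client[r["client"]].get(cur["referer"])
            if cur is None:            # referer was never logged; chain ends here
                break
        chain.reverse()
        out.append({"client": r["client"], "chain": chain,
                    "origins": list(dict.fromkeys(origin(u) for u in chain))})
    return out


def suspicious(rows, min_origins=3):
    """Chains that hop through at least min_origins distinct origins before the binary."""
    return [c for c in chains(rows) if len(c["origins"]) >= min_origins]


if __name__ == "__main__":
    for c in suspicious(parse(SAMPLE_LOG)):
        print(c["client"], " -> ".join(c["chain"]))
```

The vendor download in the sample crosses two origins (site and its download host) and is left alone; the malvertising chain crosses three before the payload is fetched. Two caveats: a strict Referrer-Policy or a client that strips the header breaks the chain at that hop, and this only works where the proxy logs HTTPS request URLs, which needs TLS inspection.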

Past Attacks
Since May 2020, WastedLocker has been used to target many larger organizations, with the attackers demanding a ransom of $10 million or more, according to Palo Alto’s Unit 42.
Between June and September 2020, WastedLocker targeted the information technology, legal, pharmaceutical, manufacturing and transportation and logistics sectors in the U.S. and U.K., the Unit 42 report said.
In July 2020, smartwatch maker Garmin was targeted by WastedLocker. The company paid a ransom after its systems were encrypted, according to news reports (see: Garmin Reportedly Paid a Ransom).
In the same month, WastedLocker targeted dozens of newspaper websites operated by a U.S. media company, according to the security firm Symantec (see: WastedLocker Ransomware Targets US Newspaper Company).
Links to Evil Corp
WastedLocker has been used by threat group Evil Corp since May 2020. The group has targeted banks, financial institutions, retailers and other businesses.
Evil Corp has been implicated in several large-scale spam and phishing campaigns that have been used to distribute Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to security researchers.
In December 2019, two members of the cybercrime group, including the alleged ringleader, Maksim Yakubets, were indicted by the U.S. Justice Department on multiple charges (see: Two Russians Indicted Over $100M Dridex Malware Thefts).


Cost Savings, Better Security Drive Adoption of Emerging Technologies

However, senior technology managers express concerns about whether their current infrastructure can properly safeguard them.

Nearly 60% of senior technology managers said they would adopt emerging technologies, such as artificial intelligence (AI), blockchain, cloud, edge and quantum computing, the Internet of Things (IoT), and robotics, for improved cybersecurity. The new research from ISACA also shows 73% of respondents cited anticipated cost savings as a driver for adopting these emerging technologies.

ISACA’s “The Pulse: Emerging Technology 2021” report focuses on 13 emerging technologies. Some 53% of respondents said they run cloud-enabled technologies, while the other categories trailed far behind. For example, 22% deploy AI, 21% deploy IoT, and 20% deploy robotics.
Cost savings will loom large in the C-suite for some time, especially as it pertains to stockholders, says Dustin Brewer, ISACA’s senior director of emerging technologies and innovation. While he sees cybersecurity shifting to become a bigger part of enterprises’ budget, it will fall on security teams to convince board members that spending on cyber is the right thing to do.
“We have to bring every employee, every endpoint on the network into the conversation on how cyber will save money because if we don’t have to pay a $4 million ransom to an entity that put ransomware on our computers, then that saves us $4 million,” Brewer says.

Source: “The Pulse: Emerging Technology 2021” report, ISACA
ISACA’s study also found 82% of respondents are at least somewhat concerned about the ability of their current infrastructure to safeguard emerging technologies. In regard to AI and machine learning (ML) systems, 46% said they are only somewhat confident in their enterprises’ ability to assess the security of these systems, 28% said they are extremely or very confident, and 26% said they are not confident. When asked about security concerns related to quantum computing, 68% said quantum computing will likely break encryption standards within the next five to seven years.
Survey respondents sent somewhat of a mixed message about deploying emerging technologies: While the vast majority said they would do so because it would improve cybersecurity, 44% also said cybersecurity risk would contribute to their overall resistance to deploying the new technology. In addition, 72% said they are concerned that emerging technologies would cost too much.
Much of this comes back to the need for security pros to convince the board to focus more on cyber, Brewer says. But he points out that all the technologies covered in the study, with the exception of quantum computing, are classical computing technologies built on the same systems the industry has used since the 1970s.
“When the Internet was created, it wasn’t built with security in mind. It was built for communications and data sharing,” Brewer says. “Every time we build something new, we are building on an insecure infrastructure. And while we are creating new protocols like HTTPS, every time you plug in a new system, your network gets bigger, and that’s one thing you have to secure. So if you introduce AI and machine learning, that adds more complexity and cyber-risk.”
Frank Dickson, program vice president with IDC’s cybersecurity products research practice, notes that whether new devices make a network vulnerable just depends on the technology and the company’s environment. In some environments, he says, emerging technologies may replace devices with old and antiquated operating systems that are incredibly vulnerable. Emerging technologies today are built with much greater attention to the cyber integrity of the device, he says. In contrast, some technologies may skip steps to capture first-mover advantages in the market, not slowing to consider security.
“Realistically, whether we are concerned or not, emerging technologies will happen,” Dickson said. “Some 50% of IT spend is now made by line-of-business buyers in the name of digital transformation. Get on the train or get run over by the train; digital transformation does not mind. Emerging technologies will happen though.”
Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.


Microsoft releases SimuLand, a test lab for simulated cyberattacks

Microsoft has released SimuLand, an open-source lab environment to help test and improve Microsoft 365 Defender, Azure Defender, and Azure Sentinel defenses against real attack scenarios.
SimuLand test labs “provide use cases from a variety of data sources including telemetry from Microsoft 365 Defender security products, Azure Defender, and other integrated data sources through Azure Sentinel data connectors,” MSTIC Threat Researcher Roberto Rodriguez said.
Lab environments deployed using SimuLand can help security experts “actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise.”
SimuLand test environments are designed to help security teams:
Understand the underlying behavior and functionality of adversary tradecraft.
Identify mitigations and attacker paths by documenting preconditions for each attacker action.
Expedite the design and deployment of threat research lab environments.
Stay up to date with the latest techniques and tools used by real threat actors.
Identify, document, and share relevant data sources to model and detect adversary actions.
Validate and tune detection capabilities.
Currently, the only lab environment available for deployment allows researchers to test and improve their defenses against Golden SAML attacks that allow threat actors to forge authentication to cloud apps.
You can share your own end-to-end simulation scenarios by opening new issues on the SimuLand GitHub repository.
Besides working on adding more scenarios, Microsoft also wants to add automation of attack actions via Azure Functions in the cloud, telemetry export and share, Microsoft Defender evaluation labs integration, as well as infrastructure deployment and maintenance using CI/CD pipelines with Azure DevOps.
Lab environments contributed through this open-source Microsoft initiative require an Azure tenant and at least a Microsoft 365 E5 license (paid or trial).

It’s time to go to SimuLand! But it isn’t a new vacation theme park hot spot, it’s a new open-source initiative that will help you deploy a lab environment to reproduce real attack scenarios to test your security defenses. Get the details: https://t.co/IZwtdMLlT0
— Microsoft Security (@msftsecurity) May 20, 2021
Last month, the Microsoft 365 Defender Research team also released an open-source cyberattack simulator dubbed CyberBattleSim.
This simulator allows creating simulated network environments that model how AI-controlled cyber agents (the threat actors) spread through a network after its initial compromise.
“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities,” Microsoft explained.
“While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack.”


#RSAC: Cyber-threat Landscape “the Worst It’s Ever Been” Due to Nation-State Behaviors

The global cyber-threat environment is the “worst it’s ever been” due to the increasingly reckless behavior of the four major nation-state actors in this area: China, Russia, North Korea and Iran. That was the message of Dmitri Alperovitch, chairman, Silverado Policy Accelerator, and Sandra Joyce, executive vice president, head of global intelligence at FireEye, who provided the annual Global Threat Brief during a keynote session on day 3 of the 2021 RSA virtual conference.

Alperovitch began by describing how 2020 was a particularly challenging year for the cybersecurity sector. “We’ve had the global pandemic, we’ve seen cyber-adversaries of all types take advantage of stress and workload that is brought on to defenders, but also we’ve had the elections, and the cyber-interference that we all expected.”

SolarWinds

The two standout cyber-attacks of the past year – the SolarWinds and Microsoft Exchange incidents – were the first port of call for the two experts in this session. The pair noted the highly targeted nature of the SolarWinds hacks, with Alperovitch commenting that “this was a traditional espionage operation” by the Russian state that targeted foreign governments, particularly areas of the US government, and “other countries that would be used to facilitate access to those government networks.”

He added that the malware contained a killswitch, which was used to shut it down in 99% of victims (the ones that were irrelevant to the operation) so as to keep it in “stealth mode” as long as possible. Overall, this attack represents a modernized approach of getting “inside supply chains that are hard to detect and stay in there for long periods of time,” mimicking the previous tactic of using undercover human agents to infiltrate other nations.

Joyce observed that only very specific information was targeted in the attack, with even lucrative data like financial information ignored. “This was an operation to satisfy national-level collection requirements, and that’s espionage,” she stated.

Microsoft Exchange

The targeted nature of SolarWinds was in stark contrast to the Microsoft Exchange attack this year, believed to be perpetrated by Chinese state actors. What started out in quite a traditional manner, with vulnerabilities exploited against traditional targets such as dissident groups and Uyghurs, turned into going “after literally everyone once they learned that Microsoft was going to patch these vulnerabilities,” explained Alperovitch.

This highly aggressive tactic had the effect of leaving many organizations that didn’t have the capacity to patch quickly very vulnerable to follow-on attacks by other cyber-threat actors. “It’s amazing to see this contrast where Russia is the more responsible actor in this particular case,” commented Alperovitch, adding that “the reckless nature (of the Exchange attack) is quite unprecedented.”

China

The pair went on to discuss the recent cyber-activities of China more broadly. Perhaps unsurprisingly given the pandemic, Chinese APT groups have been heavily targeting the healthcare/biotech sector, particularly vaccine developers and researchers, with the primary aim of “understanding the decision-making process of countries around the world,” according to Joyce.

Interestingly though, “we’re not seeing a lot of destructive or disruptive capability coming out of China,” in comparison to Iran and Russia. Joyce said this is part of China’s long-term strategy.

Another interesting trend the experts saw with China has been the re-emergence of the PLA (People’s Liberation Army) in cyber-operations recently, including in the Equifax hacks. This is quite a common tactic employed by Chinese APT groups, said Joyce, explaining that when exposed, they often go into “hibernation and retooling” and “what’s emerged is a much more focused and disciplined operation.”

China is also increasingly going after mobile devices to target dissident groups within the country. Joyce commented: “They’re using cyber means in order to perpetrate their political aims,” which “is going to continue into the future.”

Iran

Alperovitch first expressed surprise that Iran largely “held back” from targeting the US in cyberspace throughout last year, despite the assassination of Iranian General Qasem Soleimani at the start of 2020 following a US drone attack.

However, he noted they did interfere in the November presidential elections “in a more aggressive way than the Russians did in cyberspace.” This was exemplified by the Proud Boys spoof email campaign, which attempted to intimidate registered Democratic voters.

This demonstrated “a real evolution in the information operations, where they used cultural elements,” said Joyce, adding that “it really changed our thinking as to what the Iranian government is willing to carry out.”
Alperovitch also highlighted the innovative ways Iran is leveraging social network sites like LinkedIn “to identify people within companies that they can target, particularly for espionage purposes – that’s now one of the major ways they’re getting inside organizations.”

North Korea

Turning to North Korea, Alperovitch observed that “when you think about it, they’ve come up with some of the most innovative attacks we’ve seen yet.” This included the model pioneered with their attacks on Sony several years ago – the so-called hack and leak approach.

Joyce also noted how the North Korean government sponsors general cybercrime to gain funding, the first nation-state to employ this kind of crossover. This means groups such as APT38 regularly attempt bank heists around the world, at one point “targeting 16 different financial organizations at once.”

The speakers additionally highlighted that unlike Iran, Russia and China, which often rely on common off-the-shelf tools like Cobalt Strike to make attribution harder, North Korea is increasingly developing and using its own home-grown tools.

This is part of the Juche principle, which emphasizes the need to stay independent from other countries, and is also being demonstrated by North Korea’s development of its own cryptocurrencies.

Finally, Alperovitch noted that North Korea has been “pioneers” in supply chain attacks. “They’ve targeted AV vendors, even cryptocurrency software to insert backdoors into their applications,” he said, adding that “it’s incredible levels of sophistication we’re seeing from North Korea.”

Russia

Interestingly, there was very little in the way of Russia targeting the US elections last year. Nevertheless, Alperovitch said that “we still saw some major activities that were quite disturbing from Russia aside from SolarWinds in 2020.”

This included the exploitation of a number of VPN vulnerabilities and the noticeable use of the Golden SAML technique in the SolarWinds attack, which “allowed them to mint their own tokens and then have access to multiple applications within the same federated environment,” explained Joyce. The innovative techniques used by Russia in the past year were also very successful at obfuscation, according to Joyce. For example, “they would name their own infrastructure after their target infrastructure so you couldn’t tell the difference.”
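Golden SAML comes up twice on this page: as the only scenario SimuLand ships so far, and here as the technique used after SolarWinds to mint tokens for federated applications. Because the attacker signs with the real, exported AD FS token-signing key, the forged assertion has a valid signature and passes the relying party’s checks; what the attacker cannot do is make the federation servers log an issuance for it. The following is an added example serving both passages, and it is not Microsoft’s, FireEye’s or SimuLand’s code: it anti-joins constructed service-provider records (each assertion as the cloud side received it) against constructed AD FS issuance records, and separately flags assertions whose validity window exceeds policy. The field names, the assertion IDs and the one-hour policy are assumptions.

```python
"""Spotting SAML assertions the federation server never issued.

Added example, not Microsoft's, FireEye's or SimuLand's code. Field names,
the sample IDs and the one-hour lifetime policy are assumptions.
"""
from datetime import datetime, timedelta

# Constructed AD FS issuance log (what the federation servers recorded).
ADFS_ISSUED = [
    {"ts": "2021-05-20T08:00:00", "assertion_id": "_a1f3", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"ts": "2021-05-20T08:05:00", "assertion_id": "_b7c2", "user": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed records from the cloud side: each assertion as the relying party received it.
SP_TOKENS = [
    {"ts": "2021-05-20T08:00:02", "assertion_id": "_a1f3", "user": "alice@corp.example",
     "not_before": "2021-05-20T08:00:00", "not_on_or_after": "2021-05-20T09:00:00", "app": "Exchange Online"},
    {"ts": "2021-05-20T08:05:03", "assertion_id": "_b7c2", "user": "bob@corp.example",
     "not_before": "2021-05-20T08:05:00", "not_on_or_after": "2021-05-20T09:05:00", "app": "SharePoint Online"},
    # forged offline with the exported signing key: no issuance record, year-long validity
    {"ts": "2021-05-20T23:41:10", "assertion_id": "_9e0d", "user": "svc-admin@corp.example",
     "not_before": "2021-05-20T23:40:00", "not_on_or_after": "2022-05-20T23:40:00", "app": "Azure Portal"},
]


def unissued_tokens(sp_tokens, adfs_issued):
    """Assertions seen by the relying party with no matching AD FS issuance event."""
    issued = {(e["assertion_id"], e["user"].lower()) for e in adfs_issued}
    return [t for t in sp_tokens if (t["assertion_id"], t["user"].lower()) not in issued]


def overlong_tokens(sp_tokens, max_lifetime_hours=1):
    """Assertions whose validity window is longer than the issuance policy allows."""
    limit = timedelta(hours=max_lifetime_hours)
    hits = []
    for t in sp_tokens:
        lifetime = (datetime.fromisoformat(t["not_on_or_after"])
                    - datetime.fromisoformat(t["not_before"]))
        if lifetime > limit:
            hits.append(t)
    return hits


def golden_saml_candidates(sp_tokens, adfs_issued, max_lifetime_hours=1):
    """Union of both checks, keyed by assertion ID with the reasons attached."""
    reasons = {}
    for t in unissued_tokens(sp_tokens, adfs_issued):
        reasons.setdefault(t["assertion_id"], []).append("no AD FS issuance event")
    for t in overlong_tokens(sp_tokens, max_lifetime_hours):
        reasons.setdefault(t["assertion_id"], []).append("lifetime exceeds policy")
    return reasons


if __name__ == "__main__":
    for aid, why in golden_saml_candidates(SP_TOKENS, ADFS_ISSUED).items():
        print(aid, "->", ", ".join(why))
```

The anti-join only works if AD FS auditing is actually enabled and shipped off the federation servers before an intruder with admin on those hosts can touch it, and if the cloud side exposes the assertion identifier for correlation. The lifetime check is a weaker, independent signal: an attacker who bothers to mint tokens with policy-conformant lifetimes will not trip it.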

Russia has also ramped up its targeting of cloud providers recently, and its heavy targeting of authentication and identity systems “makes it super hard for defenders to actually do incident response, because if the actor’s using legitimate credentials of a real employee inside the network, it’s so difficult to figure out if the action that you’re looking at was done by a legitimate user within the network or by the adversary,” said Alperovitch.

Another hugely concerning activity of Russian state actors has been their growing targeting of critical infrastructure, notably including the transportation industry by the TEMP.Isotope group. Joyce emphasized that these types of threats have a huge impact, “not just to the systems themselves but in instilling fear in people.”

Ransomware

Topping any of these activities though, in terms of the threat posed, is ransomware, according to Alperovitch. “It’s impacting everyone on the planet from your grandmother, who now has to find Bitcoins to unlock her family photos, to smaller organizations, small districts and hospitals, to the largest companies,” he outlined.

Joyce noted that ransomware actors are increasingly using shame as a tool to extort their victims, for example threatening to “dump data that they’ve found – they’ll even call competitors and your customers. They want to make sure they can use shame as a tool and that puts organizations in an impossible situation.”

The experts also highlighted that the size of ransom demands has exploded recently, one example being a recent extortion attempt of $50m.

Another interesting observation made by Alperovitch was that “most of these operations, in terms of the hard-core criminals that are developing the malware and capabilities, are in Russia or Russian speaking and many of them are being hidden or in some cases assisted even by the Russian intelligence services.”

Future Trends

Alperovitch and Joyce concluded the session by outlining some of the cyber-threat trends they expect to see in the coming months and years. Most immediately, they predicted the upcoming Olympic Games in Japan will be heavily targeted, as Joyce noted it provides an opportunity “to send a message and do it at scale.”

A more general trend highlighted was that threat actors, particularly the nation-states discussed, are becoming increasingly reckless and shameless, unafraid of the consequences of their actions.

As a result, Alperovitch believes “the threat environment is the worst it’s ever been,” largely because “from a geopolitical perspective, the four primary adversaries we face – Russia, China, Iran and North Korea – our relationship with them from a Western standpoint is the worst it’s been for at least 60 years.”

He noted they have largely stopped caring about a good relationship with the US and have become increasingly reckless as a result. He added: “I really fear for what’s to come with the growing sophistication of these adversaries and also their willingness to push us further and further because they don’t fear the consequences.”


#RSAC: What Makes a Security Program Measurably More Successful?

There are a lot of common activities that security professionals will often associate with enabling a successful security program, but which ones actually work? That’s a question that was answered in a keynote session on May 20 at the 2021 RSA Conference.

Wendy Nather, head of advisory CISOs at Cisco, worked together with Wade Baker, partner and co-founder of Cyentia Institute and professor at Virginia Tech, to conduct a survey and the associated Cisco 2021 Security Outcomes Study. Nather explained that the report looked at 25 different common security practices grouped under three top-level categories: Business & Governance, Strategy & Spending, and Architecture & Operations.

“We wanted to find out, does anything matter in security?” Nather said.

What Makes a Successful Security Program

The good news, according to Baker, is that most common security practices do in fact lead to some kind of positive outcome, though some are more successful than others.

“What we do in security matters. There is good evidence here that these standard practices, all of which by the way are pretty general, do actually achieve the outcomes that people tell us that they want to achieve,” Baker said.

Nather said that, in particular, there were five common practices that were the most connected to an organization’s having a successful outcome:

Proactive tech refresh
Well-integrated tech
Timely incident response
Prompt disaster recovery
Accurate threat detection

Nather observed that while the top two common practices are technology related, in that organizations might need to acquire and adopt technology, the other three are more about people and process. She noted that timely incident response, prompt disaster recovery and accurate threat detection are all activities that occur after a security incident occurs.

Baker added that while protection-related activities are still needed, they ranked toward the bottom of the list in terms of being correlated to enabling better outcomes for a security program.

“We do not see this as saying that protection isn’t important,” Baker said. “We see this as more indicative of the fact that we need to build more diverse programs.”

Baker commented that for a long time in security the focus was largely on protection, but now detection, response and recovery are at least equally important. The data from the survey, he noted, is good evidence that things other than protection are critical to security program success.

The Least Correlated Practices for Successful Outcomes

The bottom five practices out of the 25 evaluated in the study are:

Identify top cyber risks (spot 21)
Secure development approach (spot 22)
Someone owns compliance (spot 23)
Understand security and business (spot 24)
Security measures reviewed (spot 25)

Baker emphasized that while the bottom five practices weren’t as strongly correlated to having a positive security outcome, they are still important to consider. There is also some nuance across the list in that different issues can impact an organization in a specific industry or of a certain size.

“The things that matter most in security change based on an organization’s size, the industry, and the geography that that organization is in,” Baker said. “We saw a lot of variation across these things, so just because something is number one overall doesn’t mean it’s going to be number one for you.”


Just published: SPoC Unsupported Operating Systems Annex

The PCI Security Standards Council (PCI SSC) has published a new, optional, Software-based PIN Entry on COTS (SPoC)™ Annex for Unsupported Operating Systems (“Unsupported OS Annex”) version 1.0. The purpose of this Annex is to provide additional security and testing requirements to allow solution providers to develop SPoC solutions that merchants can use on commercial off-the-shelf (COTS) devices with unsupported operating systems. The Unsupported OS Annex incorporates stakeholder feedback and comments received via a formal request for comment (RFC) period.
In this post we talk with PCI SSC SVP and Standards Officer Emma Sutcliffe about the new Annex.


Slack is down, massive outage blocks user logins and messages

Slack is experiencing a worldwide outage preventing users from posting messages, uploading images, or connecting to their servers.
When some users attempt to connect to Slack, they are greeted with errors stating, “Something’s gone awry, and we’re having trouble loading your workspace.”

Slack server error message
If you are still connected to your Slack server and try to post a message or upload an image, you will be greeted with a message stating, “Slack couldn’t send this message Try again | Cancel,” as shown below.

Messages can’t be sent
Slack is aware of the outage and is working on resolving it:

Trouble loading Slack
Reloading Slack (Command + R / Ctrl + R) may help Slack to load as expected. We’re not out of the woods yet, though, and will continue to share news here as it becomes available.
May 20, 5:27 PM UTC
Some users may be experiencing issues loading Slack. We’re actively digging into this issue and will report back as soon as we have an update to share. We’re sorry for the inconvenience in the meantime.
May 20, 5:17 PM UTC

In our tests, reloading Slack did not fix the issues.
This is a developing story.


Microsoft: Massive malware campaign delivers fake ransomware

A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.
In a series of tweets, the Microsoft Security Intelligence team outlined how this “massive email campaign” spread the fake ransomware payloads using compromised email accounts.
The spam emails lured the recipients into opening what looked like PDF attachments but instead were images that downloaded the RAT malware when clicked.
“The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware,” Microsoft said.
“This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them.”

As the Microsoft Security Intelligence team mentioned in their tweets, the STRRAT malware is designed to fake a ransomware attack while stealing its victims’ data in the background.
G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the final RAT payload after going through two stages of VBScript.
STRRAT logs keystrokes, allows its operators to run commands remotely and harvests sensitive information, including credentials from browsers and email clients such as Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.
It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.

STRRAT infection chain (G DATA)
However, the thing that makes it stand out from other RATs is the ransomware module that doesn’t encrypt any of the victims’ files but will only append the “.crimson” extension to files.
While this doesn’t block access to the files’ contents, some victims might still get fooled and, potentially, give in to attackers’ ransom demands.
“This might still work for extortion because such files cannot be opened anymore by double-clicking,” Hahn said.
“Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual.”
As Microsoft found while analyzing last week’s massive STRRAT campaign, the malware developers haven’t stopped improving it, adding more obfuscation and expanding its modular architecture.
Nonetheless, the RAT’s main functionality remained mostly untouched: it is still used to steal browser and email client credentials, run remote commands or PowerShell scripts, and log victims’ keystrokes.
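A defender-side triage step for the fake-ransomware behaviour Hahn describes, as an added example (not code from the article, Microsoft or G DATA): before stripping the appended “.crimson” suffix, it checks that each file’s header still matches the magic bytes of its original type, so a genuinely encrypted file is flagged rather than renamed. The signature table and the sample files are constructed for the demo.

```python
"""Triage helper for STRRAT-style fake ransomware: verify that ".crimson"
files are unencrypted (header still matches the original type) and, only
then, restore the original name. Added example, not code from the article."""
import tempfile
from pathlib import Path

SUFFIX = ".crimson"
# Magic bytes for a few common types; assumption: extend for your environment.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}

def original_name(path: Path) -> Path:
    """'report.pdf.crimson' -> 'report.pdf' in the same directory."""
    return path.with_name(path.name[: -len(SUFFIX)])

def classify(path: Path) -> str:
    """Return 'intact', 'modified' or 'unknown' for one .crimson file."""
    sigs = MAGIC.get(original_name(path).suffix.lower())
    if sigs is None:
        return "unknown"  # no signature to compare against; leave it alone
    with path.open("rb") as fh:
        head = fh.read(16)
    return "intact" if head.startswith(sigs) else "modified"

def restore_names(root: Path, dry_run: bool = False) -> dict:
    """Strip the suffix from files whose headers check out; report the rest."""
    result = {"intact": [], "modified": [], "unknown": []}
    for path in sorted(root.rglob(f"*{SUFFIX}")):  # materialise before renaming
        verdict = classify(path)
        result[verdict].append(path.name)
        if verdict == "intact" and not dry_run:
            path.rename(original_name(path))
    return result

def demo() -> tuple:
    """Run the triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.pdf.crimson").write_bytes(b"%PDF-1.4\n%constructed")
        (root / "logo.png.crimson").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
        (root / "scrambled.pdf.crimson").write_bytes(b"\xde\xad\xbe\xef" * 4)
        (root / "notes.xyz.crimson").write_bytes(b"type not in the table")
        verdicts = restore_names(root)
        remaining = sorted(p.name for p in root.iterdir())
    return verdicts, remaining
```

Run `restore_names(root, dry_run=True)` first on a real share to get the verdict report without touching any file.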